[src/netbsd-6-0]: src Pull up revisions:
details: https://anonhg.NetBSD.org/src/rev/8a859bb6f336
branches: netbsd-6-0
changeset: 774824:8a859bb6f336
user: jdc <jdc%NetBSD.org@localhost>
date: Mon Jul 08 07:40:34 2013 +0000
description:
Pull up revisions:
src/share/man/man7/sysctl.7 revision 1.73 via patch
src/sys/netinet6/icmp6.c revision 1.161 via patch
src/sys/netinet6/in6.c revision 1.161 via patch
src/sys/netinet6/in6_proto.c revision 1.97 via patch
src/sys/netinet6/in6_var.h revision 1.65 via patch
src/sys/netinet6/ip6_input.c revision 1.139 via patch
src/sys/netinet6/ip6_var.h revision 1.59 via patch
src/sys/netinet6/nd6.c revision 1.143 via patch
src/sys/netinet6/nd6.h revision 1.57 via patch
src/sys/netinet6/nd6_rtr.c revision 1.83 via patch
(requested by christos in ticket #905).
Patch by Loganaden Velvindron.
4 new sysctls (from OpenBSD) to avoid IPv6 DoS attacks
diffstat:
share/man/man7/sysctl.7 | 24 +++++++++++++-
sys/netinet6/icmp6.c | 6 ++-
sys/netinet6/in6.c | 6 ++-
sys/netinet6/in6_proto.c | 8 +++-
sys/netinet6/in6_var.h | 4 +-
sys/netinet6/ip6_input.c | 36 ++++++++++++++++++++-
sys/netinet6/ip6_var.h | 6 +++-
sys/netinet6/nd6.c | 54 ++++++++++++++++++++++++++++++-
sys/netinet6/nd6.h | 5 ++-
sys/netinet6/nd6_rtr.c | 79 +++++++++++++++++++++++++++++++++++++++++++++--
10 files changed, 208 insertions(+), 20 deletions(-)
diffs (truncated from 524 to 300 lines):
diff -r 11c0172309c6 -r 8a859bb6f336 share/man/man7/sysctl.7
--- a/share/man/man7/sysctl.7 Thu Jun 27 01:27:56 2013 +0000
+++ b/share/man/man7/sysctl.7 Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: sysctl.7,v 1.68 2011/11/03 00:29:00 jym Exp $
+.\" $NetBSD: sysctl.7,v 1.68.6.1 2013/07/08 07:40:34 jdc Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
-.Dd September 24, 2011
+.Dd June 22, 2012
.Dt SYSCTL 7
.Os
.Sh NAME
@@ -1212,8 +1212,12 @@
.It ip hostzerobroadcast integer yes
.It ip lowportmin integer yes
.It ip lowportmax integer yes
+.It ip6 maxdynroutes integer yes
+.It ip6 maxifprefixes integer yes
+.It ip6 maxifdefrouters integer yes
.It ip maxflows integer yes
.It ip maxfragpackets integer yes
+.It ip6 neighborgcthresh integer yes
.It ip mtudisc integer yes
.It ip mtudisctimeout integer yes
.It ip random_id integer yes
@@ -1687,6 +1691,18 @@
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
+.It Li ip6.maxdynroutes
+Maximum number of routes created by redirect.
+Set it to negative to disable.
+The default value is 4096.
+.It Li ip6.maxifprefixes
+Maximum number of prefixes created by route advertisements per interface.
+Set it to negative to disable.
+The default value is 16.
+.It Li ip6.maxifdefrouters 16
+Maximum number of default routers created by route advertisements per interface.
+Set it to negative to disable.
+The default value is 16.
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
@@ -1703,6 +1719,10 @@
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
+.It Li ip6.neighborgcthresh
+Maximum number of entries in neighbor cache.
+Set to negative to disable.
+The default value is 2048.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/icmp6.c
--- a/sys/netinet6/icmp6.c Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/icmp6.c Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: icmp6.c,v 1.159 2011/12/31 20:41:59 christos Exp $ */
+/* $NetBSD: icmp6.c,v 1.159.6.1 2013/07/08 07:40:34 jdc Exp $ */
/* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.159 2011/12/31 20:41:59 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.159.6.1 2013/07/08 07:40:34 jdc Exp $");
#include "opt_inet.h"
#include "opt_ipsec.h"
@@ -2284,6 +2284,8 @@
* (there will be additional hops, though).
*/
rtcount = rt_timer_count(icmp6_redirect_timeout_q);
+ if (0 <= ip6_maxdynroutes && rtcount >= ip6_maxdynroutes)
+ goto freeit;
if (0 <= icmp6_redirect_hiwat && rtcount > icmp6_redirect_hiwat)
return;
else if (0 <= icmp6_redirect_lowat &&
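Review bot: The new cap at L117-118 leaves via `goto freeit;` while the hiwat rejection on the very next lines leaves via a bare `return;`, so two rejections of the same kind take different exit paths; if the `freeit` label releases the mbuf and the bare return does not, the older path would leak `m`, so the two should be aligned (`goto freeit;` on both) or the difference explained. The cap also introduces a second knob over the same `rtcount` as `icmp6_redirect_hiwat`/`lowat`, and nothing in the hunk says how they relate; a one-line comment above the new check such as `/* ip6_maxdynroutes is a hard cap on redirect routes; hiwat/lowat below are the older soft limits */` would help the next reader. Note that this rejection increments no statistics counter, unlike the `bad` path elsewhere in this function, so a flood hitting the cap is invisible in `netstat -s`. The enclosing function begins and ends outside the hunk.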
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/in6.c
--- a/sys/netinet6/in6.c Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/in6.c Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in6.c,v 1.159 2011/11/19 22:51:26 tls Exp $ */
+/* $NetBSD: in6.c,v 1.159.8.1 2013/07/08 07:40:34 jdc Exp $ */
/* $KAME: in6.c,v 1.198 2001/07/18 09:12:38 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.159 2011/11/19 22:51:26 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.159.8.1 2013/07/08 07:40:34 jdc Exp $");
#include "opt_inet.h"
#include "opt_pfil_hooks.h"
@@ -2281,6 +2281,8 @@
ext->nd_ifinfo = nd6_ifattach(ifp);
ext->scope6_id = scope6_ifattach(ifp);
+ ext->nprefixes = 0;
+ ext->ndefrouters = 0;
return ext;
}
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/in6_proto.c
--- a/sys/netinet6/in6_proto.c Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/in6_proto.c Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in6_proto.c,v 1.95 2011/12/31 20:41:59 christos Exp $ */
+/* $NetBSD: in6_proto.c,v 1.95.6.1 2013/07/08 07:40:34 jdc Exp $ */
/* $KAME: in6_proto.c,v 1.66 2000/10/10 15:35:47 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6_proto.c,v 1.95 2011/12/31 20:41:59 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6_proto.c,v 1.95.6.1 2013/07/08 07:40:34 jdc Exp $");
#include "opt_gateway.h"
#include "opt_inet.h"
@@ -475,6 +475,10 @@
* walk list every 5 sec. */
int ip6_mcast_pmtu = 0; /* enable pMTU discovery for multicast? */
int ip6_v6only = 1;
+int ip6_neighborgcthresh = 2048; /* Threshold # of NDP entries for GC */
+int ip6_maxifprefixes = 16; /* Max acceptable prefixes via RA per IF */
+int ip6_maxifdefrouters = 16; /* Max acceptable def routers via RA */
+int ip6_maxdynroutes = 4096; /* Max # of routes created via redirect */
int ip6_keepfaith = 0;
time_t ip6_log_time = 0;
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/in6_var.h
--- a/sys/netinet6/in6_var.h Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/in6_var.h Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in6_var.h,v 1.64 2009/01/15 23:22:15 christos Exp $ */
+/* $NetBSD: in6_var.h,v 1.64.24.1 2013/07/08 07:40:34 jdc Exp $ */
/* $KAME: in6_var.h,v 1.81 2002/06/08 11:16:51 itojun Exp $ */
/*
@@ -94,6 +94,8 @@
struct icmp6_ifstat *icmp6_ifstat;
struct nd_ifinfo *nd_ifinfo;
struct scope6_id *scope6_id;
+ int nprefixes;
+ int ndefrouters;
};
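Review bot: The two new fields at L181-182 carry no comment saying what they count, what bounds them or who maintains them, and the struct's other members give no hint either. Suggest `int nprefixes;	/* prefixes learned via RA, capped by ip6_maxifprefixes */` and `int ndefrouters;	/* default routers learned via RA, capped by ip6_maxifdefrouters */`. The code that increments and decrements them is presumably in the nd6_rtr.c hunks, which lie beyond the truncation of this diff, so the comment should be checked against that code before landing.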
struct in6_ifaddr {
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/ip6_input.c Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.136 2012/01/10 20:01:56 drochner Exp $ */
+/* $NetBSD: ip6_input.c,v 1.136.6.1 2013/07/08 07:40:34 jdc Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136 2012/01/10 20:01:56 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.6.1 2013/07/08 07:40:34 jdc Exp $");
#include "opt_gateway.h"
#include "opt_inet.h"
@@ -1989,6 +1989,38 @@
CTL_NET, PF_INET6, IPPROTO_IPV6,
CTL_CREATE, CTL_EOL);
#endif
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "neighborgcthresh",
+ SYSCTL_DESCR("Maximum number of entries in neighbor"
+ " cache"),
+ NULL, 1, &ip6_neighborgcthresh, 0,
+ CTL_NET, PF_INET6, IPPROTO_IPV6,
+ CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "maxifprefixes",
+ SYSCTL_DESCR("Maximum number of prefixes created by"
+ " route advertisement per interface"),
+ NULL, 1, &ip6_maxifprefixes, 0,
+ CTL_NET, PF_INET6, IPPROTO_IPV6,
+ CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "maxifdefrouters",
+ SYSCTL_DESCR("Maximum number of default routers created"
+ " by route advertisement per interface"),
+ NULL, 1, &ip6_maxifdefrouters, 0,
+ CTL_NET, PF_INET6, IPPROTO_IPV6,
+ CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "maxdynroutes",
+ SYSCTL_DESCR("Maximum number of routes created via"
+ " redirect"),
+ NULL, 1, &ip6_maxdynroutes, 0,
+ CTL_NET, PF_INET6, IPPROTO_IPV6,
+ CTL_CREATE, CTL_EOL);
}
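Review bot: None of the four SYSCTL_DESCR strings at L207-208, L215-216, L223-224 and L231-232 states that a negative value disables the limit, although that is the documented contract in the sysctl.7 hunk and the only sentinel the checks in icmp6.c and nd6.c recognise; since the sysctls are plain read-write ints with no handler, `sysctl -d` is the only in-kernel documentation an administrator sees. Suggest appending the sentinel to each description, e.g. `SYSCTL_DESCR("Maximum number of entries in neighbor cache (negative disables)")`. For the same reason a value of 0 is accepted and, with the `>=` comparisons used by the consumers, rejects every new entry, which is consistent with "maximum" but worth a word in the description as well.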
void
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/ip6_var.h
--- a/sys/netinet6/ip6_var.h Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/ip6_var.h Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_var.h,v 1.58 2012/01/19 13:19:34 liamjfoy Exp $ */
+/* $NetBSD: ip6_var.h,v 1.58.6.1 2013/07/08 07:40:34 jdc Exp $ */
/* $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $ */
/*
@@ -272,6 +272,10 @@
* walk list every 5 sec. */
extern int ip6_mcast_pmtu; /* enable pMTU discovery for multicast? */
extern int ip6_v6only;
+extern int ip6_neighborgcthresh; /* Threshold # of NDP entries for GC */
+extern int ip6_maxifprefixes; /* Max acceptable prefixes via RA per IF */
+extern int ip6_maxifdefrouters; /* Max acceptable def routers via RA */
+extern int ip6_maxdynroutes; /* Max # of routes created via redirect */
extern struct socket *ip6_mrouter; /* multicast routing daemon */
extern int ip6_sendredirects; /* send IP redirects when forwarding? */
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/nd6.c
--- a/sys/netinet6/nd6.c Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/nd6.c Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: nd6.c,v 1.141 2012/02/03 03:32:45 christos Exp $ */
+/* $NetBSD: nd6.c,v 1.141.6.1 2013/07/08 07:40:34 jdc Exp $ */
/* $KAME: nd6.c,v 1.279 2002/06/08 11:16:51 itojun Exp $ */
/*
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.141 2012/02/03 03:32:45 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.141.6.1 2013/07/08 07:40:34 jdc Exp $");
#include "opt_ipsec.h"
@@ -135,6 +135,17 @@
MALLOC_DEFINE(M_IP6NDP, "NDP", "IPv6 Neighbour Discovery");
+#define LN_DEQUEUE(ln) do { \
+ (ln)->ln_next->ln_prev = (ln)->ln_prev; \
+ (ln)->ln_prev->ln_next = (ln)->ln_next; \
+ } while (/*CONSTCOND*/0)
+#define LN_INSERTHEAD(ln) do { \
+ (ln)->ln_next = llinfo_nd6.ln_next; \
+ llinfo_nd6.ln_next = (ln); \
+ (ln)->ln_prev = &llinfo_nd6; \
+ (ln)->ln_next->ln_prev = (ln); \
+ } while (/*CONSTCOND*/0)
+
void
nd6_init(void)
{
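Review bot: The two list macros at L272-281 are undocumented, and the invariants they rely on (a circular doubly-linked list headed by `llinfo_nd6`, the argument being a side-effect-free lvalue because it is expanded several times, and LN_DEQUEUE leaving `ln_next`/`ln_prev` dangling rather than clearing them) are exactly what a later caller will get wrong. Suggest a comment above each: `/* Unlink ln from the circular LRU list headed by llinfo_nd6; ln's own links are left untouched, so it must be re-inserted or freed. */` and `/* Insert ln at the head of llinfo_nd6 (most recently used end); the tail is the first candidate for purging. */`. The head/tail orientation is inferred from the purge loop in the later hunk that walks from `llinfo_nd6.ln_prev`, so confirm it against that code.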
@@ -476,7 +487,7 @@
nd6_llinfo_settimer(ln, (long)nd6_gctimer * hz);
}
break;
-
+ case ND6_LLINFO_PURGE:
case ND6_LLINFO_STALE:
/* Garbage Collection(RFC 2461 5.3) */
if (!ND6_LLINFO_PERMANENT(ln)) {
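Review bot: The new `case ND6_LLINFO_PURGE:` at L291 is given no comment, so a reader sees an unexplained state sharing the STALE garbage-collection body, and the `ND6_LLINFO_PERMANENT` guard on the next line means a permanent entry that somehow reaches PURGE is silently kept rather than reclaimed. Suggest `case ND6_LLINFO_PURGE:	/* marked by the ip6_neighborgcthresh path; reclaimed exactly like STALE */` so the origin of the state and the shared handling are explicit. The definition of ND6_LLINFO_PURGE belongs to the nd6.h hunk, which is beyond the truncation of this diff, as is the rest of the enclosing function.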
@@ -1336,6 +1347,35 @@
ln->ln_prev = &llinfo_nd6;
ln->ln_next->ln_prev = ln;
+ /*
+ * If we have too many cache entries, initiate immediate
+ * purging for some "less recently used" entries. Note that
+ * we cannot directly call nd6_free() here because it would
+ * cause re-entering rtable related routines triggering an LOR
+ * problem for FreeBSD.
+ */
+ if (ip6_neighborgcthresh >= 0 &&
+ nd6_inuse >= ip6_neighborgcthresh) {
+ int i;
+
+ for (i = 0; i < 10 && llinfo_nd6.ln_prev != ln; i++) {